
Sanction Ransomware Help and Support Topic- .Sanction


10 replies to this topic

#1 TechGuru11
  • Members
  • 85 posts
  • Gender:Male

Posted 12 February 2016 - 01:10 PM

Hi everyone,
 
New ransomware renames files to .sanction. We attempted to pay the ransom and no luck. It redirects to a Google search page when submitting the payment in the how_to_decrypt document. I've attached files relating to the ransom.
 
https://www.sendspace.com/file/9r9xg9
 
Anyone come across this before? Found no hits on Google. Thanks in advance for any help!

Edit: Moved topic from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum. ~ Animal


#2 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 12 February 2016 - 01:56 PM

Hi TechGuru11,

 

Looks new to me, do you know how you were infected (visit a suspicious website or open an email attachment recently, for example)?

 

Samples of ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) or here (http://www.bleepingcomputer.com/submit-malware.php?channel=170) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts. 

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

~Twitter~ | ~Malware Analyst at Emsisoft~


#3 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,251 posts
  • Gender:Male
  • Location:USA

Posted 12 February 2016 - 02:04 PM

OP is scanning for any malicious files, I suggested MBAM. He said he didn't initially see any. They did pay the ransom, but were never given a decrypter. There is no contact information in the ransom note itself, just a form that submits POST data to a website (hxxp://v-crimea.ru/write.php).


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 TechGuru11
  • Topic Starter
  • Members
  • 85 posts
  • Gender:Male

Posted 13 February 2016 - 11:33 AM

Hello Polar Bear,

 

Thank you for your response. I have uploaded the suspected executable to that link and included a description. I am not aware of how the user was infected and they are not sure either. We did attempt to pay the ransom as well and did not receive a decryptor. This appears to be a scam. 

Thank you in advance for your help. 



#5 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,251 posts
  • Gender:Male
  • Location:USA

Posted 13 February 2016 - 12:02 PM

Do you have a sample of an encrypted file with its clean counterpart (from backup or something)? Or if you have a sample of an encrypted "Sample Picture" (C:\Users\Public\Sample Pictures). That may help with analysis.

 

In the meantime, while this is being looked into, you can try recovery tools to retrieve data. We never know if this new variant goes the extra steps on deleting things.

 

Even though this FAQ is for another ransomware, the section about using recovery tools is the same. Try a few of the instructions here to run R-Studio, PhotoRec, Recuva, and ShadowExplorer.

 

http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information#restore




#6 Fabian Wosar
    Authorized Emsisoft Representative
  • Security Developer
  • 743 posts
  • Gender:Male
  • Location:Germany

Posted 13 February 2016 - 03:02 PM

xXToffeeXX and I looked into the ransomware just now. The malware authors can't decrypt your files, because they forgot to save the per-file keys anywhere. Fortunately they were equally as stupid when it came to generating those keys to begin with, so we should be able to decrypt the files anyway. Give me some time to work it out please.

Shoutout to Utkusen for once again giving dangerous code to idiots who then go on and make ransomware. It's based on HiddenTear once again.

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#7 tachion
  • Members
  • 1 posts
  • Gender:Male

Posted 14 February 2016 - 01:21 PM

Hmm

 

Ransomware admin panel http://v-crimea.ru/



#8 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,251 posts
  • Gender:Male
  • Location:USA

Posted 14 February 2016 - 01:32 PM

I was able to break into it, but there seems to be no keys. There are 8 bitcoin addresses listed with 0 balance, not sure if they represent victims. The panel is rather empty and non-functional otherwise.

 

[Screenshot attachment: 2016-02-14_1238.png]


Edited by Demonslay335, 14 February 2016 - 01:37 PM.



#9 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,251 posts
  • Gender:Male
  • Location:USA

Posted 17 February 2016 - 07:46 PM

As an FYI to anyone interested, here is a list of file types this ransomware targets. It enumerates all possible drive letters mapped to the system, so it will only encrypt anything it has access to via that way (no SMB sniffing or anything like that). Seems to target common pictures, Office files, Photoshop files, and some code sources.

.txt, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd

Every single file is encrypted with a different random password that even the malware developer would have no way of retrieving, since they don't send it to themselves at all. As Fabian said, it does have a flaw with the key generation, but will be fun to implement the correct way of brute-forcing it. One struggle is the ransomware encrypts the files in a way that it will be difficult to discern if decryption was successful. Some file types may not be too difficult, but something like a text file (.txt, .csv, .sql, .php, .asp, .aspx, .html, .xml) won't have any guarantees of working the first time, as there is no way to verify the header.

 

Infection vector is assumed to be manual RDP or email sending. Nothing mass-marketed or pushed through exploit kits.


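The verification problem Demonslay335 describes above (a file with a fixed header can be checked after a decryption attempt, a plain text file cannot) can be handled with a small plausibility checker. The following Python is an added example, not code from this thread or from the decryptor its authors were building; the magic numbers are the standard leading bytes of the listed formats, while the text heuristic, its threshold and all sample data are constructed assumptions.

```python
"""Plausibility check for files recovered after a ransomware decryption attempt.

Added example, not code from the BleepingComputer thread or from any decryptor
its authors built. Binary formats are checked against their standard leading
bytes; header-less text types get only a heuristic, which (as the post says)
gives no guarantee.
"""
import os

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office compound-file header
ZIP = b"PK\x03\x04"                         # OOXML / ODF documents are ZIP containers

# Leading bytes ("magic numbers") for the binary formats in the targeted list.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".psd": (b"8BPS",),
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,), ".odt": (ZIP,),
    ".mdb": (b"\x00\x01\x00\x00Standard Jet DB", b"\x00\x01\x00\x00Standard ACE DB"),
}

# Types with no fixed header: only a heuristic is possible.
TEXT_TYPES = {".txt", ".csv", ".sql", ".sln", ".php", ".asp", ".aspx", ".html", ".xml"}

# Bytes accepted as "text": printable ASCII plus tab/CR/LF; bytes >= 0x80 are
# accepted only because the data must already have decoded as valid UTF-8.
_TEXT_OK = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_like_text(data, min_ratio=0.98):
    """Heuristic (assumption): valid UTF-8, no NUL bytes, nearly all printable."""
    if not data or b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    ok = sum(1 for b in data if b in _TEXT_OK or b >= 0x80)
    return ok / len(data) >= min_ratio


def classify(filename, data):
    """Return 'verified', 'plausible', 'rejected' or 'unverifiable' for one candidate."""
    ext = os.path.splitext(filename)[1].lower()
    if not data:
        return "rejected"
    if ext in MAGIC:
        return "verified" if data.startswith(MAGIC[ext]) else "rejected"
    if ext in TEXT_TYPES:
        return "plausible" if looks_like_text(data) else "rejected"
    return "unverifiable"


def pick_candidate(filename, candidates):
    """Index of the first passing candidate, preferring a verified header over a heuristic."""
    verdicts = [classify(filename, c) for c in candidates]
    for wanted in ("verified", "plausible"):
        if wanted in verdicts:
            return verdicts.index(wanted)
    return None


# Constructed sample "decryption outputs": a wrong-key result beside a right-key result.
SAMPLE_PNG_CANDIDATES = [
    b"\x13\x8a\x91\xff\x00\xc4 random-looking bytes from a wrong key",
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 16,
]
SAMPLE_SQL_CANDIDATES = [
    bytes(range(256)),                              # wrong key: binary noise
    b"CREATE TABLE users (id INT, name TEXT);\n",   # right key: readable SQL
]

if __name__ == "__main__":
    print(pick_candidate("photo.png", SAMPLE_PNG_CANDIDATES))   # 1
    print(pick_candidate("dump.sql", SAMPLE_SQL_CANDIDATES))    # 1
```

A 'verified' verdict on a PNG or OLE2 header is strong evidence that the right key was found; 'plausible' on a .txt or .sql only means the bytes decode as clean text, which is why a text file may still need a manual look before the rest of a batch is trusted.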


#10 vcesar1
  • Members
  • 8 posts

Posted 21 September 2017 - 04:10 PM

Hello to all, my rescue note directs me to this forum; the encryption extension is .crypt. I attach the redemption note:
 
 
WARNING!!! Your files are encrypted!
Your personal ID:
61 91 AF 9A 2B E0 22 09 3B 67 D2 94 5C 18 78 28
C7 FC 6F 42 46 0A 44 A9 23 57 C3 22 BB F7 68 74
71 58 C7 C8 07 EE 01 7B 7E 7A F4 EF 32 AC 75 A6
48 F8 63 91 40 22 3B 11 26 9B 00 FD 15 20 D4 4C
58 84 B7 D6 C7 B8 0B 29 36 41 93 5D AA 61 D0 5F
88 EA AA 2D 20 86 E0 41 95 BE F2 59 F2 AC 3E BE
8E 92 39 84 95 B6 D3 5A 3C 7F EB F3 7A 6F E8 9B
42 46 FB 51 79 CA 1B 9F B1 43 06 71 92 35 51 3F
Save the ID before doing anything on the computer!!! Be sure to save this ID, without it decryption is impossible!!!
All your files (databases, documents, tables, backup's, etc.) are encrypted with the most cryptographic encryption algorithm RSA-2048, decryption is possible only with the help of our decoder.
To recover data you need decryptor.
Instructions for obtaining a decryptor:

Send your ID to the mailbox below and wait for the answer:decryptyour@gmail.com In the response letter there will be instructions for decoding.

 
Attention!
  • Do not attempt to remove the program or run the anti-virus tools
  • Attempts to self-decrypting files will result in the loss of your data
  • Decoders other users are not compatible with your data, because each user's unique encryption key


#11 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 49,952 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 September 2017 - 04:42 PM

...my rescue note directs me to this forum, the encryption extension is crypt....

Demonslay335 identified your ransomware infection as GlobeImposter 2.0 in your original topic.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here



